Battling app sprawl

Iron Contributor

Yes, I know there are controls to prevent new apps from being used in an org. We use them. 


We are finding more and more though, that people are looking for alternatives to Teams for doing various things. When we look at the use-cases and what they are looking to add, pretty much all the time, Teams can still meet their needs. 

We have tried doing education and hands-on to show people what Teams can do.

We have stated over and over it's not just a matter of app capability but of security and privacy; we can much more closely safeguard the data when its in the O365 ecosystem.

We have done the work to show Teams abilities and a business case for data security, privacy and governance, yet people still persist to add new apps to the environment. One example is Asana. We've used it and honestly, it does the SAME exact things Teams does in connection with Planner and Outlook. Does it come down to an education issue? "Look, you can do all the same things in Asana as you can in Teams AND we can better secure the data."

Anyone have any advice? Thanks.

6 Replies



@Christopher Hoard @Chris Webb @ChristianJBergstrom - you guys are experts - any suggestions?

@Therese_Solimeno @Jleebiker Hey, sorry. In study mode lately for a bunch of certifications.


When it comes to Teams and all the apps you can as an admin be very helpful to your organization by using the Teams app setup policies and permission policies. You can pin apps for the users, be selective and install apps and messaging extensions as well. You can use custom policies too. By using this approach, in combination with organizational information, you will not only prevent sprawl but also narrow down what apps are available in Teams for the users to use, or simply highlight a couple by installing/pinning.


Manage app policies in Teams - Microsoft Teams | Microsoft Docs

I get that, but take the case of Asana specifically. You can use the web version. No install needed. People are going to find a way to access it. This is how Shadow IT rises, when IT orgs don't provide the services/products people THINK they need.

There are plenty tools in the M365 environment if the Teams app policies aren’t sufficient. You can block access with Defender for Endpoint, and apps with Defender for cloud apps as an example.

Hmm... Will take a look at Defender. We use it for Endpoints, wasn't aware we could use it for cloud apps as well. That will help, but the other part of that is the education to our staff to look at the MS ecosystem for a solution before going out and shopping for something else. I think that's a whole different strategy.
best response confirmed by Therese_Solimeno (Moderator)

@Jleebiker @Therese_Solimeno 


Hi all,


It depends where the apps are surfaced, but generally speaking it's a combination of the Teams Admin Centre together with Intune (MAM or MAM + MDM) Defender for Cloud Apps/Defender for Endpoint. However, this will be dependent on how users use those apps. It will also depend on such extra actions such as preventing them in the 365 environment from signing up to trials. 


For example, if you have users who just come in and use their desktop in the office then you could configure Defender for Cloud Apps and control it based upon the Perimeter Appliance, and ingest the logs in Defender for Endpoint and then, for example, use a combination of Intune and Applocker to prevent that. If the users are working from home outside the perimeter it could be a combination of DFE/DFCA and then Unsanction the apps. In terms of Mobile, with full MDM you can block the apple App Store and push out the apps you want.


But also just to add that ultimately, you can't prevent Shadow IT completely, because users can have personal devices and use things like WhatsApp. However, via the above methods it should give you pretty tight control over app usage for business devices. 


Best, Chris